(Chain of bugs) From IDOR to Privilege escalation

neelam
Aug 1, 2021

This bug became one of my special ones, not only because it earned me a handsome bounty but also because it was not easy to identify.

Observation:

The application had a use case for adding more members to an admin account: the admin could invite people and assign each of them a role.

I found that a PATCH request carried a seemingly random numeric ID, and its JSON body also contained a few role IDs.

Attack:

I changed one digit of the ID, from 141306 to 141316, and the response gave me a lot of sensitive details about another member who had not even accepted the invitation yet… hmm, easy peasy :D

[Screenshots: User-1 IDOR response and User-2 IDOR response]

Now I could clearly see the role ID in the body, and I had also noticed that the application accepted various HTTP methods on this endpoint.

Escalation

I tricked the application by changing the method from PATCH to DELETE 😉
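To make the two weaknesses in this chain concrete, here is an added example (my own illustration, not code from the post or from the affected application) that models the invitation endpoint in plain Python. The vulnerable handler fetches the record by its numeric ID alone and applies the same missing check to every HTTP method, which is what lets both the ID swap and the PATCH-to-DELETE swap succeed; the hardened handler authorizes the action per method and the object per tenant before touching anything, and validates the role IDs from the body. The account names, role catalogue and the two invitation records are constructed sample data.

```python
from copy import deepcopy
from dataclasses import dataclass, field

# Constructed sample data (not from the post): invitations keyed by ID.
# owner_account is the admin account (tenant) that created the invitation.
INVITATIONS = {
    141306: {"owner_account": "acme", "email": "alice@example.test",
             "role_ids": [2], "accepted": True},
    141316: {"owner_account": "globex", "email": "bob@example.test",
             "role_ids": [1, 3], "accepted": False},
}
KNOWN_ROLE_IDS = {1, 2, 3}  # constructed role catalogue


def fresh_store():
    """Return an independent copy so every call starts from the same state."""
    return deepcopy(INVITATIONS)


@dataclass
class Request:
    method: str
    invitation_id: int
    account: str                     # tenant the caller is authenticated into
    caller_role: str                 # "admin" or "member" within that tenant
    body: dict = field(default_factory=dict)


class HttpError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def vulnerable_handler(req, store):
    """Mirrors the bug chain: the record is fetched by ID alone (IDOR), and
    no method gets an authorization check, so swapping PATCH for DELETE
    works just as well (method-level privilege escalation)."""
    inv = store.get(req.invitation_id)
    if inv is None:
        raise HttpError(404)
    if req.method == "PATCH":
        inv["role_ids"] = req.body.get("role_ids", inv["role_ids"])
        return inv                      # leaks another tenant's details
    if req.method == "DELETE":
        del store[req.invitation_id]
        return {"deleted": req.invitation_id}
    raise HttpError(405)


def hardened_handler(req, store):
    """Authorize the action (per HTTP method) and the object (tenant
    ownership) before doing anything, and validate the role IDs."""
    required_role = {"PATCH": "admin", "DELETE": "admin"}
    if req.method not in required_role:
        raise HttpError(405)
    if req.caller_role != required_role[req.method]:
        raise HttpError(403)
    inv = store.get(req.invitation_id)
    # "Missing" and "belongs to another tenant" both answer 404, so the
    # response does not confirm which IDs exist in other accounts.
    if inv is None or inv["owner_account"] != req.account:
        raise HttpError(404)
    if req.method == "PATCH":
        role_ids = req.body.get("role_ids", inv["role_ids"])
        if not set(role_ids) <= KNOWN_ROLE_IDS:
            raise HttpError(400)
        inv["role_ids"] = list(role_ids)
        return inv
    del store[req.invitation_id]        # only DELETE reaches this point
    return {"deleted": req.invitation_id}


def status_of(handler, req, store):
    """Run a handler and report an HTTP-style status code (200 on success)."""
    try:
        handler(req, store)
        return 200
    except HttpError as e:
        return e.status


if __name__ == "__main__":
    cross_tenant = Request("PATCH", 141316, account="acme", caller_role="admin",
                           body={"role_ids": [1]})
    print("vulnerable:", status_of(vulnerable_handler, cross_tenant, fresh_store()))
    print("hardened:  ", status_of(hardened_handler, cross_tenant, fresh_store()))
```

The detail worth copying into a real code base is the ordering: check the method and the caller's role first, then scope the lookup to the caller's own tenant, and only then act on the record. Returning the same 404 for "not found" and "not yours" keeps the endpoint from confirming which neighbouring IDs exist.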
